Enabling Neutron advanced services

IBM® Cloud Manager with OpenStack does not enable virtual private network-as-a-service (VPNaaS) by default and does not support firewall-as-a-service (FWaaS). Use this information to enable VPNaaS.

Procedure

Enable VPNaaS.
To enable VPNaaS, change the following JSON attributes in your environment file.
  • Under override_attributes.openstack.network.enable_vpn, change the value to true.
      "enable_vpn": true,
  • Under override_attributes.openstack.network.service_plugins, add the VPNaaS service plug-in. 
    "service_plugins": [
          "neutron.services.l3_router.l3_router_plugin.L3RouterPlugin",
          "neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPlugin",
          "neutron_vpnaas.services.vpn.plugin.VPNDriverPlugin"
        ],
  • Under override_attributes.openstack.network.service_provider, add the VPNaaS service provider.
      "service_provider": [
          "LOADBALANCER:Haproxy:neutron_lbaas.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default",
          "VPN:vpnaas:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default"
        ],
  • Update override_attributes.openstack.network.vpn.vpn_device_driver to ['neutron_vpnaas.services.vpn.device_drivers.fedora_strongswan_ipsec.FedoraStrongSwanDriver'].
  • Update override_attributes.openstack.network.platform.vpn_device_driver_packages to 'strongswan'.
  • Add override_attributes.openstack.network.platform.vpn_device_driver_services to "empty string", like the following example:
    "vpn_device_driver_services": [

  ]

What to do next

Note:
  1. Ensure L3 is disabled when VPN is enabled, or there might be a potential conflict or synchronization problem between the L3 and VPN agents.
  2. If the service is not enabled, ensure that the service plug-in and service provider are not added or there will be Neutron server problems.
  3. Neutron firewall-as-a-service (FWaaS) and metering is not supported in IBM Cloud Manager with OpenStack 4.3.
  4. IBM Cloud Manager with OpenStack version 4.3 supports Neutron load balancer as a service (LBaaS) version 1 command only. The version 2 LBaaS command is not supported.